Analysis

  • max time kernel
    102s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 15:37

General

  • Target

    0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe

  • Size

    354KB

  • MD5

    83761132829c5db2b954ef6a641cac00

  • SHA1

    f8c0006b25632be95488a939fe371481aa7c3327

  • SHA256

    0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4

  • SHA512

    5c51ee072f10b229997a3ae789e10646cd360019949ee1ae37b518ba7af6e7b67c73de76b519444d087052607198bb48977676d7b028ce2c44733e209a682a99

  • SSDEEP

    6144:aTfFDbRnOTrz+7cJMY/jJNjtMxAsidvZMi7hUAPqozEmdN+pb1usGodoWp4bCMCj:I5Of/jJNjt4AvdBMKUGqoTuDuMdH4JCj

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe
    "C:\Users\Admin\AppData\Local\Temp\0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\windows\temp\dnf.exe
      "C:\windows\temp\dnf.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" 272F.ime,Runed C:\windows\temp\dnf.exe
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          • Modifies registry class
          PID:4708
    • C:\windows\temp\panlong.exe
      "C:\windows\temp\panlong.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1492

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\272F.ime

    Filesize

    42KB

    MD5

    2f2d22097457f546ab9bdc242efbd463

    SHA1

    5583f45a7a090b3505f225a60caf4c49f7ee55b8

    SHA256

    418f7d4358dc62ff7758171aca1edf1a25eddc376ceaa7e7baf2c19b6f197228

    SHA512

    386b6e1e95bdfab2a7a53a71fdac71201ae43a9b7f99c23b0d9b64d048e92dae397cc2c32d386834db4d2eea871a01460012968dcf98dfdd92eacd88eeb3779f

  • C:\Windows\Temp\dnf.exe

    Filesize

    32KB

    MD5

    7f13038784e1fb3fb68fde244dbe26ae

    SHA1

    16254b823bd771621ea37a9a768e707b93a40471

    SHA256

    babad5bee83c04bc76ed15553b2f03d76a9ed0a0529a9fde694a8e88e82ac8f5

    SHA512

    340439d33bad388d518d68fb1cd18652c64179c3090e64aaeae2c49a45e90ba18a0f7f886602215a60b59b7c05548075e3f7dce76628a72bbdb585c9fafebeb0

  • C:\Windows\Temp\panlong.exe

    Filesize

    412KB

    MD5

    e28cb009daf185fd3176045f4005b787

    SHA1

    a0816a05b531e590d91e29bf84f0fcba90a0ca22

    SHA256

    ce3f8cba4fe408e6f1c9ddebaa7523fe361ac494fe95ba83bdd202c457fd0963

    SHA512

    88e3f179655d8ced7e83a2674f585abba481157ffdee9014c5d9deca7d52bd90cd624c7b94f663752743c64c9a1648947e97a49e5cbc8e4536383ac748243238

  • C:\windows\temp\dnf.exe

    Filesize

    32KB

    MD5

    7f13038784e1fb3fb68fde244dbe26ae

    SHA1

    16254b823bd771621ea37a9a768e707b93a40471

    SHA256

    babad5bee83c04bc76ed15553b2f03d76a9ed0a0529a9fde694a8e88e82ac8f5

    SHA512

    340439d33bad388d518d68fb1cd18652c64179c3090e64aaeae2c49a45e90ba18a0f7f886602215a60b59b7c05548075e3f7dce76628a72bbdb585c9fafebeb0

  • C:\windows\temp\panlong.exe

    Filesize

    412KB

    MD5

    e28cb009daf185fd3176045f4005b787

    SHA1

    a0816a05b531e590d91e29bf84f0fcba90a0ca22

    SHA256

    ce3f8cba4fe408e6f1c9ddebaa7523fe361ac494fe95ba83bdd202c457fd0963

    SHA512

    88e3f179655d8ced7e83a2674f585abba481157ffdee9014c5d9deca7d52bd90cd624c7b94f663752743c64c9a1648947e97a49e5cbc8e4536383ac748243238

  • memory/2900-135-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB